-# $OpenBSD: cert-hostkey.sh,v 1.26 2021/09/30 05:20:08 dtucker Exp $
+# $OpenBSD: cert-hostkey.sh,v 1.27 2021/09/30 05:26:26 dtucker Exp $
# Placed in the Public Domain.
tid="certified host keys"
}
# Basic connect and revocation tests.
- for ktype in $PLAIN_TYPES ; do
- verbose "$tid: host ${ktype} cert connect"
- (
- cat $OBJ/sshd_proxy_bak
- echo HostKey $OBJ/cert_host_key_${ktype}
- echo HostCertificate $OBJ/cert_host_key_${ktype}-cert.pub
- ) > $OBJ/sshd_proxy
+for ktype in $PLAIN_TYPES ; do
+ verbose "$tid: host ${ktype} cert connect"
+ (
+ cat $OBJ/sshd_proxy_bak
+ echo HostKey $OBJ/cert_host_key_${ktype}
+ echo HostCertificate $OBJ/cert_host_key_${ktype}-cert.pub
+ ) > $OBJ/sshd_proxy
- # test name expect success
- attempt_connect "$ktype basic connect" "yes"
- attempt_connect "$ktype empty KRL" "yes" \
- -oRevokedHostKeys=$OBJ/host_krl_empty
- attempt_connect "$ktype KRL w/ plain key revoked" "no" \
- -oRevokedHostKeys=$OBJ/host_krl_plain
- attempt_connect "$ktype KRL w/ cert revoked" "no" \
- -oRevokedHostKeys=$OBJ/host_krl_cert
- attempt_connect "$ktype KRL w/ CA revoked" "no" \
- -oRevokedHostKeys=$OBJ/host_krl_ca
- attempt_connect "$ktype empty plaintext revocation" "yes" \
- -oRevokedHostKeys=$OBJ/host_revoked_empty
- attempt_connect "$ktype plain key plaintext revocation" "no" \
- -oRevokedHostKeys=$OBJ/host_revoked_plain
- attempt_connect "$ktype cert plaintext revocation" "no" \
- -oRevokedHostKeys=$OBJ/host_revoked_cert
- attempt_connect "$ktype CA plaintext revocation" "no" \
- -oRevokedHostKeys=$OBJ/host_revoked_ca
- done
+ # test name expect success
+ attempt_connect "$ktype basic connect" "yes"
+ attempt_connect "$ktype empty KRL" "yes" \
+ -oRevokedHostKeys=$OBJ/host_krl_empty
+ attempt_connect "$ktype KRL w/ plain key revoked" "no" \
+ -oRevokedHostKeys=$OBJ/host_krl_plain
+ attempt_connect "$ktype KRL w/ cert revoked" "no" \
+ -oRevokedHostKeys=$OBJ/host_krl_cert
+ attempt_connect "$ktype KRL w/ CA revoked" "no" \
+ -oRevokedHostKeys=$OBJ/host_krl_ca
+ attempt_connect "$ktype empty plaintext revocation" "yes" \
+ -oRevokedHostKeys=$OBJ/host_revoked_empty
+ attempt_connect "$ktype plain key plaintext revocation" "no" \
+ -oRevokedHostKeys=$OBJ/host_revoked_plain
+ attempt_connect "$ktype cert plaintext revocation" "no" \
+ -oRevokedHostKeys=$OBJ/host_revoked_cert
+ attempt_connect "$ktype CA plaintext revocation" "no" \
+ -oRevokedHostKeys=$OBJ/host_revoked_ca
+done
# Revoked certificates with key present
kh_ca host_ca_key.pub host_ca_key2.pub > $OBJ/known_hosts-cert.orig
kh_revoke cert_host_key_${ktype}.pub >> $OBJ/known_hosts-cert.orig
done
cp $OBJ/known_hosts-cert.orig $OBJ/known_hosts-cert
- for ktype in $PLAIN_TYPES ; do
- verbose "$tid: host ${ktype} revoked cert"
- (
- cat $OBJ/sshd_proxy_bak
- echo HostKey $OBJ/cert_host_key_${ktype}
- echo HostCertificate $OBJ/cert_host_key_${ktype}-cert.pub
- ) > $OBJ/sshd_proxy
+for ktype in $PLAIN_TYPES ; do
+ verbose "$tid: host ${ktype} revoked cert"
+ (
+ cat $OBJ/sshd_proxy_bak
+ echo HostKey $OBJ/cert_host_key_${ktype}
+ echo HostCertificate $OBJ/cert_host_key_${ktype}-cert.pub
+ ) > $OBJ/sshd_proxy
- cp $OBJ/known_hosts-cert.orig $OBJ/known_hosts-cert
- ${SSH} -oUserKnownHostsFile=$OBJ/known_hosts-cert \
- -oGlobalKnownHostsFile=$OBJ/known_hosts-cert \
- -F $OBJ/ssh_proxy somehost true >/dev/null 2>&1
- if [ $? -eq 0 ]; then
- fail "ssh cert connect succeeded unexpectedly"
- fi
- done
+ cp $OBJ/known_hosts-cert.orig $OBJ/known_hosts-cert
+ ${SSH} -oUserKnownHostsFile=$OBJ/known_hosts-cert \
+ -oGlobalKnownHostsFile=$OBJ/known_hosts-cert \
+ -F $OBJ/ssh_proxy somehost true >/dev/null 2>&1
+ if [ $? -eq 0 ]; then
+ fail "ssh cert connect succeeded unexpectedly"
+ fi
+done
# Revoked CA
kh_ca host_ca_key.pub host_ca_key2.pub > $OBJ/known_hosts-cert.orig
-# $OpenBSD: cert-userkey.sh,v 1.27 2021/09/30 05:20:08 dtucker Exp $
+# $OpenBSD: cert-userkey.sh,v 1.28 2021/09/30 05:26:26 dtucker Exp $
# Placed in the Public Domain.
tid="certified user keys"
# Test explicitly-specified principals
for ktype in $EXTRA_TYPES $PLAIN_TYPES ; do
t=$(kname $ktype)
- _prefix="${ktype}"
+ _prefix="${ktype}"
- # Setup for AuthorizedPrincipalsFile
- rm -f $OBJ/authorized_keys_$USER
- (
- cat $OBJ/sshd_proxy_bak
- echo "AuthorizedPrincipalsFile " \
- "$OBJ/authorized_principals_%u"
- echo "TrustedUserCAKeys $OBJ/user_ca_key.pub"
- echo "PubkeyAcceptedAlgorithms ${t}"
- ) > $OBJ/sshd_proxy
- (
- cat $OBJ/ssh_proxy_bak
- echo "PubkeyAcceptedAlgorithms ${t}"
- ) > $OBJ/ssh_proxy
+ # Setup for AuthorizedPrincipalsFile
+ rm -f $OBJ/authorized_keys_$USER
+ (
+ cat $OBJ/sshd_proxy_bak
+ echo "AuthorizedPrincipalsFile " \
+ "$OBJ/authorized_principals_%u"
+ echo "TrustedUserCAKeys $OBJ/user_ca_key.pub"
+ echo "PubkeyAcceptedAlgorithms ${t}"
+ ) > $OBJ/sshd_proxy
+ (
+ cat $OBJ/ssh_proxy_bak
+ echo "PubkeyAcceptedAlgorithms ${t}"
+ ) > $OBJ/ssh_proxy
- # Missing authorized_principals
- verbose "$tid: ${_prefix} missing authorized_principals"
- rm -f $OBJ/authorized_principals_$USER
- ${SSH} -i $OBJ/cert_user_key_${ktype} \
- -F $OBJ/ssh_proxy somehost true >/dev/null 2>&1
- if [ $? -eq 0 ]; then
- fail "ssh cert connect succeeded unexpectedly"
- fi
+ # Missing authorized_principals
+ verbose "$tid: ${_prefix} missing authorized_principals"
+ rm -f $OBJ/authorized_principals_$USER
+ ${SSH} -i $OBJ/cert_user_key_${ktype} \
+ -F $OBJ/ssh_proxy somehost true >/dev/null 2>&1
+ if [ $? -eq 0 ]; then
+ fail "ssh cert connect succeeded unexpectedly"
+ fi
- # Empty authorized_principals
- verbose "$tid: ${_prefix} empty authorized_principals"
- echo > $OBJ/authorized_principals_$USER
- ${SSH} -i $OBJ/cert_user_key_${ktype} \
- -F $OBJ/ssh_proxy somehost true >/dev/null 2>&1
- if [ $? -eq 0 ]; then
- fail "ssh cert connect succeeded unexpectedly"
- fi
+ # Empty authorized_principals
+ verbose "$tid: ${_prefix} empty authorized_principals"
+ echo > $OBJ/authorized_principals_$USER
+ ${SSH} -i $OBJ/cert_user_key_${ktype} \
+ -F $OBJ/ssh_proxy somehost true >/dev/null 2>&1
+ if [ $? -eq 0 ]; then
+ fail "ssh cert connect succeeded unexpectedly"
+ fi
- # Wrong authorized_principals
- verbose "$tid: ${_prefix} wrong authorized_principals"
- echo gregorsamsa > $OBJ/authorized_principals_$USER
- ${SSH} -i $OBJ/cert_user_key_${ktype} \
- -F $OBJ/ssh_proxy somehost true >/dev/null 2>&1
- if [ $? -eq 0 ]; then
- fail "ssh cert connect succeeded unexpectedly"
- fi
+ # Wrong authorized_principals
+ verbose "$tid: ${_prefix} wrong authorized_principals"
+ echo gregorsamsa > $OBJ/authorized_principals_$USER
+ ${SSH} -i $OBJ/cert_user_key_${ktype} \
+ -F $OBJ/ssh_proxy somehost true >/dev/null 2>&1
+ if [ $? -eq 0 ]; then
+ fail "ssh cert connect succeeded unexpectedly"
+ fi
- # Correct authorized_principals
- verbose "$tid: ${_prefix} correct authorized_principals"
- echo mekmitasdigoat > $OBJ/authorized_principals_$USER
- ${SSH} -i $OBJ/cert_user_key_${ktype} \
- -F $OBJ/ssh_proxy somehost true >/dev/null 2>&1
- if [ $? -ne 0 ]; then
- fail "ssh cert connect failed"
- fi
+ # Correct authorized_principals
+ verbose "$tid: ${_prefix} correct authorized_principals"
+ echo mekmitasdigoat > $OBJ/authorized_principals_$USER
+ ${SSH} -i $OBJ/cert_user_key_${ktype} \
+ -F $OBJ/ssh_proxy somehost true >/dev/null 2>&1
+ if [ $? -ne 0 ]; then
+ fail "ssh cert connect failed"
+ fi
- # authorized_principals with bad key option
- verbose "$tid: ${_prefix} authorized_principals bad key opt"
- echo 'blah mekmitasdigoat' > $OBJ/authorized_principals_$USER
- ${SSH} -i $OBJ/cert_user_key_${ktype} \
- -F $OBJ/ssh_proxy somehost true >/dev/null 2>&1
- if [ $? -eq 0 ]; then
- fail "ssh cert connect succeeded unexpectedly"
- fi
+ # authorized_principals with bad key option
+ verbose "$tid: ${_prefix} authorized_principals bad key opt"
+ echo 'blah mekmitasdigoat' > $OBJ/authorized_principals_$USER
+ ${SSH} -i $OBJ/cert_user_key_${ktype} \
+ -F $OBJ/ssh_proxy somehost true >/dev/null 2>&1
+ if [ $? -eq 0 ]; then
+ fail "ssh cert connect succeeded unexpectedly"
+ fi
- # authorized_principals with command=false
- verbose "$tid: ${_prefix} authorized_principals command=false"
- echo 'command="false" mekmitasdigoat' > \
- $OBJ/authorized_principals_$USER
- ${SSH} -i $OBJ/cert_user_key_${ktype} \
- -F $OBJ/ssh_proxy somehost true >/dev/null 2>&1
- if [ $? -eq 0 ]; then
- fail "ssh cert connect succeeded unexpectedly"
- fi
+ # authorized_principals with command=false
+ verbose "$tid: ${_prefix} authorized_principals command=false"
+ echo 'command="false" mekmitasdigoat' > \
+ $OBJ/authorized_principals_$USER
+ ${SSH} -i $OBJ/cert_user_key_${ktype} \
+ -F $OBJ/ssh_proxy somehost true >/dev/null 2>&1
+ if [ $? -eq 0 ]; then
+ fail "ssh cert connect succeeded unexpectedly"
+ fi
- # authorized_principals with command=true
- verbose "$tid: ${_prefix} authorized_principals command=true"
- echo 'command="true" mekmitasdigoat' > \
- $OBJ/authorized_principals_$USER
- ${SSH} -i $OBJ/cert_user_key_${ktype} \
- -F $OBJ/ssh_proxy somehost false >/dev/null 2>&1
- if [ $? -ne 0 ]; then
- fail "ssh cert connect failed"
- fi
+ # authorized_principals with command=true
+ verbose "$tid: ${_prefix} authorized_principals command=true"
+ echo 'command="true" mekmitasdigoat' > \
+ $OBJ/authorized_principals_$USER
+ ${SSH} -i $OBJ/cert_user_key_${ktype} \
+ -F $OBJ/ssh_proxy somehost false >/dev/null 2>&1
+ if [ $? -ne 0 ]; then
+ fail "ssh cert connect failed"
+ fi
- # Setup for principals= key option
- rm -f $OBJ/authorized_principals_$USER
- (
- cat $OBJ/sshd_proxy_bak
- echo "PubkeyAcceptedAlgorithms ${t}"
- ) > $OBJ/sshd_proxy
- (
- cat $OBJ/ssh_proxy_bak
- echo "PubkeyAcceptedAlgorithms ${t}"
- ) > $OBJ/ssh_proxy
+ # Setup for principals= key option
+ rm -f $OBJ/authorized_principals_$USER
+ (
+ cat $OBJ/sshd_proxy_bak
+ echo "PubkeyAcceptedAlgorithms ${t}"
+ ) > $OBJ/sshd_proxy
+ (
+ cat $OBJ/ssh_proxy_bak
+ echo "PubkeyAcceptedAlgorithms ${t}"
+ ) > $OBJ/ssh_proxy
- # Wrong principals list
- verbose "$tid: ${_prefix} wrong principals key option"
- (
- printf 'cert-authority,principals="gregorsamsa" '
- cat $OBJ/user_ca_key.pub
- ) > $OBJ/authorized_keys_$USER
- ${SSH} -i $OBJ/cert_user_key_${ktype} \
- -F $OBJ/ssh_proxy somehost true >/dev/null 2>&1
- if [ $? -eq 0 ]; then
- fail "ssh cert connect succeeded unexpectedly"
- fi
+ # Wrong principals list
+ verbose "$tid: ${_prefix} wrong principals key option"
+ (
+ printf 'cert-authority,principals="gregorsamsa" '
+ cat $OBJ/user_ca_key.pub
+ ) > $OBJ/authorized_keys_$USER
+ ${SSH} -i $OBJ/cert_user_key_${ktype} \
+ -F $OBJ/ssh_proxy somehost true >/dev/null 2>&1
+ if [ $? -eq 0 ]; then
+ fail "ssh cert connect succeeded unexpectedly"
+ fi
- # Correct principals list
- verbose "$tid: ${_prefix} correct principals key option"
- (
- printf 'cert-authority,principals="mekmitasdigoat" '
- cat $OBJ/user_ca_key.pub
- ) > $OBJ/authorized_keys_$USER
- ${SSH} -i $OBJ/cert_user_key_${ktype} \
- -F $OBJ/ssh_proxy somehost true >/dev/null 2>&1
- if [ $? -ne 0 ]; then
- fail "ssh cert connect failed"
- fi
+ # Correct principals list
+ verbose "$tid: ${_prefix} correct principals key option"
+ (
+ printf 'cert-authority,principals="mekmitasdigoat" '
+ cat $OBJ/user_ca_key.pub
+ ) > $OBJ/authorized_keys_$USER
+ ${SSH} -i $OBJ/cert_user_key_${ktype} \
+ -F $OBJ/ssh_proxy somehost true >/dev/null 2>&1
+ if [ $? -ne 0 ]; then
+ fail "ssh cert connect failed"
+ fi
done
basic_tests() {
for ktype in $PLAIN_TYPES ; do
t=$(kname $ktype)
- _prefix="${ktype} $auth"
- # Simple connect
- verbose "$tid: ${_prefix} connect"
- (
- cat $OBJ/sshd_proxy_bak
- echo "PubkeyAcceptedAlgorithms ${t}"
- echo "$extra_sshd"
- ) > $OBJ/sshd_proxy
- (
- cat $OBJ/ssh_proxy_bak
- echo "PubkeyAcceptedAlgorithms ${t}"
- ) > $OBJ/ssh_proxy
-
- ${SSH} -i $OBJ/cert_user_key_${ktype} \
- -F $OBJ/ssh_proxy somehost true
- if [ $? -ne 0 ]; then
- fail "ssh cert connect failed"
- fi
+ _prefix="${ktype} $auth"
+ # Simple connect
+ verbose "$tid: ${_prefix} connect"
+ (
+ cat $OBJ/sshd_proxy_bak
+ echo "PubkeyAcceptedAlgorithms ${t}"
+ echo "$extra_sshd"
+ ) > $OBJ/sshd_proxy
+ (
+ cat $OBJ/ssh_proxy_bak
+ echo "PubkeyAcceptedAlgorithms ${t}"
+ ) > $OBJ/ssh_proxy
- # Revoked keys
- verbose "$tid: ${_prefix} revoked key"
- (
- cat $OBJ/sshd_proxy_bak
- echo "RevokedKeys $OBJ/cert_user_key_revoked"
- echo "PubkeyAcceptedAlgorithms ${t}"
- echo "$extra_sshd"
- ) > $OBJ/sshd_proxy
- cp $OBJ/cert_user_key_${ktype}.pub \
- $OBJ/cert_user_key_revoked
- ${SSH} -i $OBJ/cert_user_key_${ktype} \
- -F $OBJ/ssh_proxy somehost true >/dev/null 2>&1
- if [ $? -eq 0 ]; then
- fail "ssh cert connect succeeded unexpecedly"
- fi
- verbose "$tid: ${_prefix} revoked via KRL"
- rm $OBJ/cert_user_key_revoked
- ${SSHKEYGEN} -kqf $OBJ/cert_user_key_revoked \
- $OBJ/cert_user_key_${ktype}.pub
- ${SSH} -i $OBJ/cert_user_key_${ktype} \
- -F $OBJ/ssh_proxy somehost true >/dev/null 2>&1
- if [ $? -eq 0 ]; then
- fail "ssh cert connect succeeded unexpecedly"
- fi
- verbose "$tid: ${_prefix} empty KRL"
- ${SSHKEYGEN} -kqf $OBJ/cert_user_key_revoked
- ${SSH} -i $OBJ/cert_user_key_${ktype} \
- -F $OBJ/ssh_proxy somehost true >/dev/null 2>&1
- if [ $? -ne 0 ]; then
- fail "ssh cert connect failed"
- fi
- done
+ ${SSH} -i $OBJ/cert_user_key_${ktype} \
+ -F $OBJ/ssh_proxy somehost true
+ if [ $? -ne 0 ]; then
+ fail "ssh cert connect failed"
+ fi
- # Revoked CA
- verbose "$tid: ${ktype} $auth revoked CA key"
+ # Revoked keys
+ verbose "$tid: ${_prefix} revoked key"
(
cat $OBJ/sshd_proxy_bak
- echo "RevokedKeys $OBJ/user_ca_key.pub"
+ echo "RevokedKeys $OBJ/cert_user_key_revoked"
echo "PubkeyAcceptedAlgorithms ${t}"
echo "$extra_sshd"
) > $OBJ/sshd_proxy
- ${SSH} -i $OBJ/cert_user_key_${ktype} -F $OBJ/ssh_proxy \
- somehost true >/dev/null 2>&1
+ cp $OBJ/cert_user_key_${ktype}.pub \
+ $OBJ/cert_user_key_revoked
+ ${SSH} -i $OBJ/cert_user_key_${ktype} \
+ -F $OBJ/ssh_proxy somehost true >/dev/null 2>&1
+ if [ $? -eq 0 ]; then
+ fail "ssh cert connect succeeded unexpecedly"
+ fi
+ verbose "$tid: ${_prefix} revoked via KRL"
+ rm $OBJ/cert_user_key_revoked
+ ${SSHKEYGEN} -kqf $OBJ/cert_user_key_revoked \
+ $OBJ/cert_user_key_${ktype}.pub
+ ${SSH} -i $OBJ/cert_user_key_${ktype} \
+ -F $OBJ/ssh_proxy somehost true >/dev/null 2>&1
if [ $? -eq 0 ]; then
fail "ssh cert connect succeeded unexpecedly"
fi
+ verbose "$tid: ${_prefix} empty KRL"
+ ${SSHKEYGEN} -kqf $OBJ/cert_user_key_revoked
+ ${SSH} -i $OBJ/cert_user_key_${ktype} \
+ -F $OBJ/ssh_proxy somehost true >/dev/null 2>&1
+ if [ $? -ne 0 ]; then
+ fail "ssh cert connect failed"
+ fi
+ done
+
+ # Revoked CA
+ verbose "$tid: ${ktype} $auth revoked CA key"
+ (
+ cat $OBJ/sshd_proxy_bak
+ echo "RevokedKeys $OBJ/user_ca_key.pub"
+ echo "PubkeyAcceptedAlgorithms ${t}"
+ echo "$extra_sshd"
+ ) > $OBJ/sshd_proxy
+ ${SSH} -i $OBJ/cert_user_key_${ktype} -F $OBJ/ssh_proxy \
+ somehost true >/dev/null 2>&1
+ if [ $? -eq 0 ]; then
+ fail "ssh cert connect succeeded unexpecedly"
+ fi
verbose "$tid: $auth CA does not authenticate"
(
-# $OpenBSD: principals-command.sh,v 1.13 2021/09/30 05:20:08 dtucker Exp $
+# $OpenBSD: principals-command.sh,v 1.14 2021/09/30 05:26:26 dtucker Exp $
# Placed in the Public Domain.
tid="authorized principals command"
$SUDO chmod 0755 "$PRINCIPALS_COMMAND"
# Test explicitly-specified principals
- # Setup for AuthorizedPrincipalsCommand
- rm -f $OBJ/authorized_keys_$USER
- (
- cat $OBJ/sshd_proxy_bak
- echo "AuthorizedKeysFile none"
- echo "AuthorizedPrincipalsCommand $PRINCIPALS_COMMAND" \
- "%u %t %T %i %s %F %f %k %K"
- echo "AuthorizedPrincipalsCommandUser ${LOGNAME}"
- echo "TrustedUserCAKeys $OBJ/user_ca_key.pub"
- ) > $OBJ/sshd_proxy
-
- # XXX test missing command
- # XXX test failing command
-
- # Empty authorized_principals
- verbose "$tid: empty authorized_principals"
- echo > $OBJ/authorized_principals_$USER
- ${SSH} -i $OBJ/cert_user_key \
- -F $OBJ/ssh_proxy somehost true >/dev/null 2>&1
- if [ $? -eq 0 ]; then
- fail "ssh cert connect succeeded unexpectedly"
- fi
-
- # Wrong authorized_principals
- verbose "$tid: wrong authorized_principals"
- echo gregorsamsa > $OBJ/authorized_principals_$USER
- ${SSH} -i $OBJ/cert_user_key \
- -F $OBJ/ssh_proxy somehost true >/dev/null 2>&1
- if [ $? -eq 0 ]; then
- fail "ssh cert connect succeeded unexpectedly"
- fi
-
- # Correct authorized_principals
- verbose "$tid: correct authorized_principals"
- echo mekmitasdigoat > $OBJ/authorized_principals_$USER
- ${SSH} -i $OBJ/cert_user_key \
- -F $OBJ/ssh_proxy somehost true >/dev/null 2>&1
- if [ $? -ne 0 ]; then
- fail "ssh cert connect failed"
- fi
-
- # authorized_principals with bad key option
- verbose "$tid: authorized_principals bad key opt"
- echo 'blah mekmitasdigoat' > $OBJ/authorized_principals_$USER
- ${SSH} -i $OBJ/cert_user_key \
- -F $OBJ/ssh_proxy somehost true >/dev/null 2>&1
- if [ $? -eq 0 ]; then
- fail "ssh cert connect succeeded unexpectedly"
- fi
-
- # authorized_principals with command=false
- verbose "$tid: authorized_principals command=false"
- echo 'command="false" mekmitasdigoat' > \
- $OBJ/authorized_principals_$USER
- ${SSH} -i $OBJ/cert_user_key \
- -F $OBJ/ssh_proxy somehost true >/dev/null 2>&1
- if [ $? -eq 0 ]; then
- fail "ssh cert connect succeeded unexpectedly"
- fi
-
-
- # authorized_principals with command=true
- verbose "$tid: authorized_principals command=true"
- echo 'command="true" mekmitasdigoat' > \
- $OBJ/authorized_principals_$USER
- ${SSH} -i $OBJ/cert_user_key \
- -F $OBJ/ssh_proxy somehost false >/dev/null 2>&1
- if [ $? -ne 0 ]; then
- fail "ssh cert connect failed"
- fi
-
- # Setup for principals= key option
- # TODO: remove?
- rm -f $OBJ/authorized_principals_$USER
- (
- cat $OBJ/sshd_proxy_bak
- ) > $OBJ/sshd_proxy
-
- # Wrong principals list
- verbose "$tid: wrong principals key option"
- (
- printf 'cert-authority,principals="gregorsamsa" '
- cat $OBJ/user_ca_key.pub
- ) > $OBJ/authorized_keys_$USER
- ${SSH} -i $OBJ/cert_user_key \
- -F $OBJ/ssh_proxy somehost true >/dev/null 2>&1
- if [ $? -eq 0 ]; then
- fail "ssh cert connect succeeded unexpectedly"
- fi
-
- # Correct principals list
- verbose "$tid: correct principals key option"
- (
- printf 'cert-authority,principals="mekmitasdigoat" '
- cat $OBJ/user_ca_key.pub
- ) > $OBJ/authorized_keys_$USER
- ${SSH} -i $OBJ/cert_user_key \
- -F $OBJ/ssh_proxy somehost true >/dev/null 2>&1
- if [ $? -ne 0 ]; then
- fail "ssh cert connect failed"
- fi
+# Setup for AuthorizedPrincipalsCommand
+rm -f $OBJ/authorized_keys_$USER
+(
+ cat $OBJ/sshd_proxy_bak
+ echo "AuthorizedKeysFile none"
+ echo "AuthorizedPrincipalsCommand $PRINCIPALS_COMMAND" \
+ "%u %t %T %i %s %F %f %k %K"
+ echo "AuthorizedPrincipalsCommandUser ${LOGNAME}"
+ echo "TrustedUserCAKeys $OBJ/user_ca_key.pub"
+) > $OBJ/sshd_proxy
+
+# XXX test missing command
+# XXX test failing command
+
+# Empty authorized_principals
+verbose "$tid: empty authorized_principals"
+echo > $OBJ/authorized_principals_$USER
+${SSH} -i $OBJ/cert_user_key \
+ -F $OBJ/ssh_proxy somehost true >/dev/null 2>&1
+if [ $? -eq 0 ]; then
+ fail "ssh cert connect succeeded unexpectedly"
+fi
+
+# Wrong authorized_principals
+verbose "$tid: wrong authorized_principals"
+echo gregorsamsa > $OBJ/authorized_principals_$USER
+${SSH} -i $OBJ/cert_user_key \
+ -F $OBJ/ssh_proxy somehost true >/dev/null 2>&1
+if [ $? -eq 0 ]; then
+ fail "ssh cert connect succeeded unexpectedly"
+fi
+
+# Correct authorized_principals
+verbose "$tid: correct authorized_principals"
+echo mekmitasdigoat > $OBJ/authorized_principals_$USER
+${SSH} -i $OBJ/cert_user_key \
+ -F $OBJ/ssh_proxy somehost true >/dev/null 2>&1
+if [ $? -ne 0 ]; then
+ fail "ssh cert connect failed"
+fi
+
+# authorized_principals with bad key option
+verbose "$tid: authorized_principals bad key opt"
+echo 'blah mekmitasdigoat' > $OBJ/authorized_principals_$USER
+${SSH} -i $OBJ/cert_user_key \
+ -F $OBJ/ssh_proxy somehost true >/dev/null 2>&1
+if [ $? -eq 0 ]; then
+ fail "ssh cert connect succeeded unexpectedly"
+fi
+
+# authorized_principals with command=false
+verbose "$tid: authorized_principals command=false"
+echo 'command="false" mekmitasdigoat' > \
+ $OBJ/authorized_principals_$USER
+${SSH} -i $OBJ/cert_user_key \
+ -F $OBJ/ssh_proxy somehost true >/dev/null 2>&1
+if [ $? -eq 0 ]; then
+ fail "ssh cert connect succeeded unexpectedly"
+fi
+
+
+# authorized_principals with command=true
+verbose "$tid: authorized_principals command=true"
+echo 'command="true" mekmitasdigoat' > \
+ $OBJ/authorized_principals_$USER
+${SSH} -i $OBJ/cert_user_key \
+ -F $OBJ/ssh_proxy somehost false >/dev/null 2>&1
+if [ $? -ne 0 ]; then
+ fail "ssh cert connect failed"
+fi
+
+# Setup for principals= key option
+# TODO: remove?
+rm -f $OBJ/authorized_principals_$USER
+(
+ cat $OBJ/sshd_proxy_bak
+) > $OBJ/sshd_proxy
+
+# Wrong principals list
+verbose "$tid: wrong principals key option"
+(
+ printf 'cert-authority,principals="gregorsamsa" '
+ cat $OBJ/user_ca_key.pub
+) > $OBJ/authorized_keys_$USER
+${SSH} -i $OBJ/cert_user_key \
+ -F $OBJ/ssh_proxy somehost true >/dev/null 2>&1
+if [ $? -eq 0 ]; then
+ fail "ssh cert connect succeeded unexpectedly"
+fi
+
+# Correct principals list
+verbose "$tid: correct principals key option"
+(
+ printf 'cert-authority,principals="mekmitasdigoat" '
+ cat $OBJ/user_ca_key.pub
+) > $OBJ/authorized_keys_$USER
+${SSH} -i $OBJ/cert_user_key \
+ -F $OBJ/ssh_proxy somehost true >/dev/null 2>&1
+if [ $? -ne 0 ]; then
+ fail "ssh cert connect failed"
+fi
projects / openbsd / commitdiff